X-2
X-2 is a memory resident infector of .EXE programs and employs some stealth techniques to avoid detection.

Payload

The first time a program infected with the X-2 virus is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as measured by the DOS CHKDSK program, will have decreased by 3,008 bytes. Interrupt 21 will be hooked by X-2 in memory.

Once the X-2 virus is memory resident, it will infect .EXE programs when they are executed. Infected programs will have a file length increase of 795 bytes, though the file length increase will be hidden when X-2 is memory resident. The virus will be located at the end of the infected file. The seconds field in the file's time in the DOS disk directory listing will have been set to "60".

The following text strings are encrypted within the viral code:

X-2 ICE-9, -- Made in England." Hi I'am called X-2, get my name right! Look out for the X-3 twins.

Systems infected with X-2 will experience the DOS CHKDSK program finding file allocation errors on all infected .EXE programs when X-2 is memory resident. Additionally, execution of some anti-viral programs with the virus in memory will result in a system hang.

Removal

Delete the infected files.

Variants

X-1

An earlier variant of the X-2 virus, X-1 is a non-resident direct action infector of .EXE programs. It infects one .EXE program in the current directory each time an infected program is executed. A system hang will then occur. Infected programs will have a file length increase of 568 to 578 bytes with the virus being located at the end of the file. The file's date and time in the DOS disk directory listing will not be altered.
X-1 activates on March 5th of any year, at which time execution of an infected program will result in the display of the following message and a system hang:

ICE-9 Presents In Association with The ARcV X-1 Michelangelo activates -< TOMORROW >-

This text is encrypted within the viral code, and is not visible in infected programs.

X-1B

A minor variant of the X-1 variant described above, this variant adds 572 to 586 bytes to the .EXE programs it infects. It contains the same encrypted text messages as the X-1 variant, and its effect and date of activation are also the same as X-1.

X-3B

A later variant of the X-2 virus, X-3B is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. Its size in memory is 2,048 bytes, hooking interrupt 21. Once resident, X-3B will infect programs when they are executed, adding 1,060 bytes to the file's size. The file length increase, however, will be hidden when the virus is memory resident. The program's date and time in the DOS disk directory listing will not be altered. X-3B is unable to distinguish when it has previously infected a program, so program reinfections will occur, adding an additional 1,060 bytes with each reinfection.

The following text strings are encrypted within the X-3B viral code:

X-3b ICE-9 © 1992 ICE-9 Written Out 1992 Look out 4 future releases THE TWINS X-3a & X-3b ARE ON YOUR PC ICE-9

Systems infected with X-3B may experience frequent system hangs when the virus is memory resident. The DOS CHKDSK program will also detect file allocation errors on infected programs when X-3B is memory resident.
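
As an added example (not part of the original entry), the X-2 seconds-field marker described under Payload can be checked offline by parsing raw 32-byte FAT directory entries from a disk image, which reads the on-disk directory directly instead of going through a hooked Interrupt 21. The function names and the sample directory bytes are constructed for illustration; a hit is an indicator to investigate, not proof of infection.

```python
import struct

ENTRY_SIZE = 32
ATTR_VOLUME, ATTR_DIR, ATTR_LFN = 0x08, 0x10, 0x0F

def decode_time(raw):
    """Split a 16-bit FAT time word into (hours, minutes, seconds)."""
    # Seconds are stored in 2-second units; the DOS clock writes 0..29 only.
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def scan_directory(data):
    """Return .EXE entries whose time stamp carries a seconds value of 60."""
    findings = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = data[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # end-of-directory marker
            break
        if entry[0] == 0xE5:          # deleted entry
            continue
        attr = entry[11]
        if attr == ATTR_LFN or attr & (ATTR_VOLUME | ATTR_DIR):
            continue                  # not a regular file
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        time_raw, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        h, m, s = decode_time(time_raw)
        if ext == "EXE" and s == 60:  # marker described for X-2
            findings.append({"file": f"{name}.{ext}",
                             "time": f"{h:02}:{m:02}:{s:02}", "size": size})
    return findings

def make_entry(name, ext, h, m, s, size, attr=0x20):
    """Build one constructed directory entry (sample data only)."""
    time_raw = (h << 11) | (m << 5) | (s // 2)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time_raw, 0x1A21, 2, size))

# Constructed sample directory: one marked .EXE, one clean .EXE,
# one .COM with the same seconds value, one deleted entry, end marker.
SAMPLE_DIR = (make_entry("GAME", "EXE", 12, 30, 60, 20795)
              + make_entry("EDIT", "EXE", 9, 15, 30, 12000)
              + make_entry("TOOL", "COM", 10, 0, 60, 5000)
              + b"\xe5" + make_entry("OLD", "EXE", 8, 0, 60, 9000)[1:]
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for hit in scan_directory(SAMPLE_DIR):
        print(hit)
```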